SSH certificates
Dave Cottlehuber
dch at skunkwerks.at
Thu Nov 21 12:00:15 UTC 2019
On Thu, 21 Nov 2019, at 10:41, Julien Cigar wrote:
> Hello,
>
> I'd like to setup an automated mechanism to replace SSH keys and
> authorized_keys management with SSH certificates. Basically every member
> of the team who arrives in the morning should authenticate to an
> authority (some daemon in a very secure jail which implements a local CA
> + key sign) and should receive back a signed certificate with a validity
> period of x hours.
>
> After digging a little I found https://smallstep.com/certificates/
> and https://smallstep.com/cli/ (which aren't packaged BTW) but I'm
> wondering if there are other similar tools?
>
> Thanks!
You can do all of that manually, and there is a very nice book that covers it, SSH Mastery, or go through these:
https://man.openbsd.org/ssh-keygen#CERTIFICATES
https://blog.habets.se/2011/07/OpenSSH-certificates.html
smallstep is very nice and I’ve considered packaging it. At work we use vault extensively; I haven’t used it for this purpose but it should do very nicely: https://www.vaultproject.io/docs/secrets/ssh/signed-ssh-certificates.html and it’s already in ports.
Personally I am not keen on having such a large trust perimeter but it will likely depend on your preference for automation vs convenience.
A+
Dave
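Whichever signer the team ends up with (ssh-keygen by hand, smallstep, or Vault), what lands in the user's agent is the same OpenSSH certificate blob, and the "validity period of x hours" lives in two uint64 fields inside it. The following script is an added example, not code from this thread or from OpenSSH: it encodes and decodes the ssh-ed25519-cert-v01@openssh.com wire format (the field layout from OpenSSH's PROTOCOL.certkeys) and applies the same field checks sshd applies, so an admin can audit what a CA is actually issuing. The sample certificate, key bytes, principal "alice", serial, and options are constructed here with an empty signature; signature verification is deliberately left to sshd or `ssh-keygen -L`.

```python
"""Encode/decode the OpenSSH certificate wire format (PROTOCOL.certkeys,
ssh-ed25519-cert-v01@openssh.com) and check the fields that matter for
short-lived user certs: type, principals, validity window, lifetime policy.

The sample cert at the bottom is CONSTRUCTED with dummy key bytes and an
empty signature; a real one comes from  ssh-keygen -s ca -I id -n user -V +8h
"""
import base64
import struct

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
CERT_TYPE_USER, CERT_TYPE_HOST = 1, 2


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_options(opts: dict) -> bytes:
    """critical options / extensions: (name, data) pairs inside one string;
    data is itself a string-wrapped value, or empty for flag-style entries."""
    body = b""
    for name, value in sorted(opts.items()):          # ssh-keygen sorts them
        data = ssh_string(value.encode()) if value else b""
        body += ssh_string(name.encode()) + ssh_string(data)
    return ssh_string(body)


class Reader:
    """Sequential decoder over a certificate blob."""
    def __init__(self, buf: bytes):
        self.buf, self.off = buf, 0

    def num(self, fmt: str) -> int:
        (v,) = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return v

    def string(self) -> bytes:
        n = self.num(">I")
        out = self.buf[self.off:self.off + n]
        if len(out) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return out

    def strings(self) -> list:
        """The principals field: one string holding zero or more strings."""
        inner, items = Reader(self.string()), []
        while inner.off < len(inner.buf):
            items.append(inner.string().decode())
        return items

    def options(self) -> dict:
        inner, opts = Reader(self.string()), {}
        while inner.off < len(inner.buf):
            name, data = inner.string().decode(), inner.string()
            opts[name] = Reader(data).string().decode() if data else ""
        return opts


def build_cert(pubkey, serial, key_id, principals, valid_after, valid_before,
               critical, extensions, ca_key_blob, signature=b"") -> str:
    """Assemble a certificate line in .pub / authorized_keys form (unsigned)."""
    body = (ssh_string(CERT_TYPE.encode()) + ssh_string(b"\0" * 32)   # nonce
            + ssh_string(pubkey) + struct.pack(">QI", serial, CERT_TYPE_USER)
            + ssh_string(key_id.encode())
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_options(critical) + ssh_options(extensions)
            + ssh_string(b"")                                         # reserved
            + ssh_string(ca_key_blob) + ssh_string(signature))
    return "%s %s constructed-sample" % (CERT_TYPE, base64.b64encode(body).decode())


def parse_cert(line: str) -> dict:
    kind, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if kind != CERT_TYPE or r.string().decode() != kind:
        raise ValueError("not an %s certificate" % CERT_TYPE)
    r.string()                                                         # nonce
    cert = {"pubkey": r.string(), "serial": r.num(">Q"), "type": r.num(">I"),
            "key_id": r.string().decode(), "principals": r.strings(),
            "valid_after": r.num(">Q"), "valid_before": r.num(">Q"),
            "critical_options": r.options(), "extensions": r.options()}
    r.string()                                                         # reserved
    cert["ca_key"], cert["signature"] = r.string(), r.string()
    return cert


def check_cert(cert: dict, now: int, principal: str, max_hours: int) -> list:
    """Problems with using this cert to log in as `principal` at time `now`
    (empty list = acceptable). Does NOT verify the CA signature."""
    problems = []
    if cert["type"] != CERT_TYPE_USER:
        problems.append("not a user certificate")
    if now < cert["valid_after"]:
        problems.append("not yet valid")
    if now >= cert["valid_before"]:
        problems.append("expired")
    if principal not in cert["principals"]:
        problems.append("principal %r not in %r" % (principal, cert["principals"]))
    lifetime = cert["valid_before"] - cert["valid_after"]
    if lifetime > max_hours * 3600:
        problems.append("lifetime %dh exceeds policy %dh" % (lifetime // 3600, max_hours))
    return problems


# Constructed sample: an 8-hour cert for principal "alice", dummy key bytes.
VALID_AFTER = 1_574_337_600          # 2019-11-21 12:00:00 UTC (thread date)
DUMMY_CA = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
SAMPLE_CERT = build_cert(b"\x02" * 32, 7, "alice-2019-11-21", ["alice"],
                         VALID_AFTER, VALID_AFTER + 8 * 3600,
                         {"source-address": "10.0.0.0/8"},
                         {"permit-pty": "", "permit-agent-forwarding": ""},
                         DUMMY_CA)

if __name__ == "__main__":
    c = parse_cert(SAMPLE_CERT)
    print(c["key_id"], c["principals"], c["valid_before"] - c["valid_after"], "s")
    print(check_cert(c, VALID_AFTER + 3600, "alice", 8))        # []
    print(check_cert(c, VALID_AFTER + 9 * 3600, "bob", 4))      # three problems
```

Pointing `parse_cert` at the second field of a real `id_ed25519-cert.pub` shows exactly what the jail's CA handed out; the lifetime check is where a cron job can flag a signer configured for "+52w" instead of "+8h". The nonce, reserved field and signature are parsed but not interpreted: the nonce only exists to make each signed blob unique, and the signature must be checked by sshd (TrustedUserCAKeys) or `ssh-keygen -L`, not by a script like this.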